ISO Standard

ISO/IEC 38500:2008, Corporate governance of information technology, provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. ISO/IEC 38500 is applicable to organizations from all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.

The standard will assist directors in assuming conformance with obligations – regularly, legislation, common law, contractual – concerning the acceptable use of IT and to have a proper corporate governance of IT.

The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:
- Responsibility;
- Strategy;
- Acquisition;
- Performance;
- Conformance;
- Human behaviour.

Information Security Policy

1. Whether there exists an Information security policy, which is approved by the management, published and communicated as appropriate to all employees.
2. Whether the policy states management commitment and sets out the organizational approach to managing information security.
3. Whether the Information Security Policy is reviewed at planned intervals, or if significant changes occur to ensure its continuing suitability, adequacy and effectiveness.
4. Whether the Information Security policy has an owner, who has approved management responsibility for development, review and evaluation of the security policy.

Internal Organization

Confuse about BS17799, ISO17799, ISO27001 or ISO27002? Actually of the standard is same refers to Information Security Management System. Here is the history and comparison of the Security Standard, from 1992 to 2007 latest ISO27002

1992: The Department of Trade and Industry (DTI), which is part of the UK Government, publish a 'Code of Practice for Information Security Management'.

1995: This document is amended and re-published by the British Standards Institute (BSI) in 1995 as BS7799.

1996: Support and compliance tools begin to emerge, such as COBRA. David Lilburn Watson becomes the first qualified certified BS7799 c:cure Auditor

1999: The first major revision of BS7799 was published. Thsi included many major enhancements. Accreditation and certification schemes are launched. LRQA and BSI are the first certification bodies.

2000: In December, BS7799 is again re-published, this time as a fast tracked ISO standard. It becomes ISO 17799 (or more formally, ISO/IEC 17799).

2001: The 'ISO 17799 Toolkit' is launched.

New ISO/IEC 24762:2008 provides guidance on:

• Implementing, operating, monitoring and maintaining the necessary facilities and services necessary for disaster recovery.
• Fallback and recovery support for the organization’s ICT systems.
• The capabilities which outsourced ICT disaster recovery service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate the organizations' recovery efforts.
• The selection of a recovery site (e.g. considering factors such as environmental stability, good infrastructure, etc.), and
• Requirements for ICT DR service providers to continuously improve their ICT DR services.

view standard here

When coming to standardization, we face the common problem about who is eligible to release the standard. The standard in industrial product is easier than standard in policies or procedures. For the example, standard for video storage in VCR era. The competition between Betamax and VHS, or current competition in Digital Disc. Compare to standard in security such as BS17799 or ISO27001.

As you can see, the competition of industrial product standard is easier to be defined; who win the standard will be used by others. This easy because at the end the consumer who will buy the product is same: global society and nobody cares who release the standard.

Choosing the regulatory standard is really depend on the political situation in every country that using the standard. US Standard usually more effective in the country that it’s economical depend to US. And who follow British Standard maybe has an interaction more with British.

But if your company doesn't have any relation, which type of standard will you choose? Here is my suggestion.

1. Choose ISO first